An access control system is known that controls access from a client device to an access target resource, that is, a resource that is the target of access. For example, an access target resource is a file, a virtual machine, a database, and/or an application program.
An access target device having an access target resource controls access from a client device to the access target resource based on access control information that includes information for specifying the access target resource, information representing the type of access, and so on (i.e., executes access control). In general, access control information is information having a different format for each access target resource.
Therefore, in a case where access control is executed on a plurality of access target resources, a user (e.g., a manager of an access control system) needs to properly set access control information for each of the access target resources. That is to say, the setup of access control information is cumbersome.
For the purpose of dealing with such a problem, an access control information generation system disclosed in Non-Patent Document 1 generates access control information for each of a plurality of access target resources based on policy information. Then, the access control information generation system transmits the generated access control information to an access target device associated with the access control information. The access target device receives the access control information, and executes access control based on the received access control information.
Consequently, the user can properly set access control information for each of a plurality of access target resources different from each other, by only setting policy information.
[Non-Patent Document 1] OGAWA Ryuichi, et al., “Authority Management Infrastructure for the Virtual Server Integrated Environment,” NEC Technical Journal by NEC Corporation, Vol. 63, No. 2, pp. 129-133, April 2010
On a communication path from a client device to an access target device, a communication filter device that relays communication between the access target device and the client device is often installed. In this case, when the communication filter device does not permit communication by an address (e.g., an IP (Internet Protocol) address) for specifying the client device in a communication network, the client device cannot access the access target resource.
Further, an IP address is often assigned to the client device dynamically. For example, an IP address is often assigned to the client device so as to be different every time the client device is connected to the communication network.
Thus, an access control information generation system cannot acquire an IP address assigned to the client device until the time point at which the client device accesses an access target resource. Therefore, it is impossible to set, in the communication filter device, communication filter information for permitting communication by the client device at a time point earlier than the time point at which the client device accesses the access target resource.
Consequently, in an access control system to which the abovementioned access control information generation system is applied, even when the access target device permits communication by the client device, communication between the client device and the access target device is interrupted (forbidden) by the communication filter device, and there is a risk that the client device cannot access the access target resource.
That is to say, in an access control system to which the abovementioned access control information generation system is applied, there is a risk that the client device cannot smoothly perform access permitted by the access target device.
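The mismatch described above can be reproduced in a small model. This is an added illustration, not code from this document or from Non-Patent Document 1. The policy fields, the two access control formats, the filter rule syntax and the addresses are all constructed assumptions.

```python
"""Added illustration: policy-driven ACL generation vs. an IP-keyed filter."""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Policy:
    user: str      # identity the policy is written against
    resource: str  # access target resource
    kind: str      # "file" or "database" (hypothetical resource types)
    action: str    # type of access, e.g. "read"

def generate_access_control_info(p: Policy) -> str:
    """Render one policy in the resource-specific format (formats are made up)."""
    if p.kind == "file":
        return f"acl {p.resource} user:{p.user}:{'r' if p.action == 'read' else 'rw'}"
    if p.kind == "database":
        return f"GRANT {'SELECT' if p.action == 'read' else 'ALL'} ON {p.resource} TO {p.user}"
    raise ValueError(f"unsupported resource kind: {p.kind}")

def generate_filter_rule(p: Policy, target_ip: str, leases: dict[str, str]) -> str | None:
    """A filter rule is keyed by source IP, so it needs the user's current lease."""
    src = leases.get(p.user)
    if src is None:
        return None  # client has not connected yet: there is no address to permit
    return f"permit {src} -> {target_ip}"

@dataclass
class FilterDevice:
    rules: set[str] = field(default_factory=set)  # default deny
    def relays(self, src_ip: str, target_ip: str) -> bool:
        return f"permit {src_ip} -> {target_ip}" in self.rules

def attempt(p: Policy, target_acls: set[str], fw: FilterDevice, src_ip: str, target_ip: str):
    """Return (access target permits, filter device relays) for one access."""
    return generate_access_control_info(p) in target_acls, fw.relays(src_ip, target_ip)

def demo():
    policy = Policy("alice", "/srv/reports", "file", "read")
    target_ip, leases, fw = "192.0.2.10", {}, FilterDevice()
    target_acls = {generate_access_control_info(policy)}          # set ahead of time
    early_rule = generate_filter_rule(policy, target_ip, leases)  # None: no lease yet
    leases["alice"] = "198.51.100.23"                             # assigned on connect
    before = attempt(policy, target_acls, fw, leases["alice"], target_ip)
    fw.rules.add(generate_filter_rule(policy, target_ip, leases))  # derivable only now
    after = attempt(policy, target_acls, fw, leases["alice"], target_ip)
    return early_rule, before, after

if __name__ == "__main__":
    print(demo())
```

The `before` result is the state the text describes: the access target device permits the access while the communication filter device still drops it.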